ssh单点登入-第二步 mac通过kerberos,ssh连接到服务器

描述

客户端mac电脑,需要ssh到app服务器端.但是没有app服务器端权限.
需要登入kerberos,之后获取app服务器访问权限

基础

• 已完成ssh单点登入第一步
• mac电脑和kerberos服务器能够认证
• app服务器和kerberos服务器可以互相访问
• ubuntu暂时没有完成调试

流程

client: mac ==> service: appservice1.yufuid.org

app服务器端配置

安装ker客户端

sudo yum install krb5-workstation pam_krb5 -y

安装ker客户端(ubuntu)

sudo apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config

修改ssh配置

vim /etc/ssh/sshd_config

#   $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none


# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp  /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect

修改ssh配置(ubuntu)

# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

重启ssh服务

 sudo systemctl restart sshd.service

配置ker客户端

配置文件内容与第一部中的kerberos服务器配置文件相同

这里不再重复输出配置文件内容

sudo vim /etc/krb5.conf

创建可访问服务器白名单

域名填写内容为第一步中的realms

坑点:在@YUFUID.ORG域名后面不要有空格

vim ~/.k5login

[email protected]
[email protected]

创建服务器秘钥

每台服务器需要由唯一的秘钥

使用admin账户登入kdc

这里的权限是在第一步中创建的root/admin用户

[[email protected] ~]$  sudo kadmin -p root/admin -s kadmin -p root/admin -s kerberos.yufuid.org
Authenticating as principal root/admin with password.
Password for root/[email protected]:

创建app服务器用户,用户的写法务必是host/192.168.50.100,

kadmin: addprinc -randkey host/192.168.50.100
WARNING: no policy specified for host/[email protected]; defaulting to no policy
Principal "host/[email protected]" created.

创建app服务器用的秘钥,秘钥保存位置务必是本服务器的/etc/krb5.keytab

kadmin: ktadd -k /etc/krb5.keytab host/192.168.50.100
Entry for principal host/192.168.50.100 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/192.168.50.100 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

验证krb5秘钥

sudo klist -t -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]

mac客户端设置

修改客户机ssh配置

vim ~/.ssh/config

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

登入kerberos

kinit nanzhang

查看登入状态

klist 

ssh连接主机

ssh [email protected]